Least Authority Performs Security Audit For Cryptocat

This is the second post in our series about security audits of Free and
Open Source end-to-end encryption software. The first post in the series
was about our security audit of SpiderOak's crypton project.

Our mission at LeastAuthority is to bring verifiable end-to-end
security to everyone.

As part of that mission, in addition to operating the S4 simple secure
storage service, we also perform security consulting. We
LeastAuthoritarians have extensive experience in security and
cryptography, and other companies sometimes ask us to analyze the
security of their protocols and software.

We audited the widely-used Cryptocat encrypted chat program. This
audit was funded by the Open Technology Fund as part of their Red Team
project, which provides multiple professional security audits to Internet
freedom projects.

What were the results?

We found several security issues in the version of Cryptocat that we
examined (Cryptocat v2.1.15). For each one, we reported it to the
Cryptocat developers, and they have either deployed a fix in a newer
release of Cryptocat or else disabled the feature that has the
vulnerability.

The complete list of the issues we found is at the end of this article,
along with a link to the report document.

Unfortunately we didn't have time to examine all parts of Cryptocat that
we wanted to. We concentrated on the “crypto-related” parts: key
generation and key management, random number generation, encryption and
decryption, authentication and integrity, and the new file transfer
feature. Most of the issues that we found were in those areas.

Our report explains which parts of Cryptocat we examined most closely
(this is called the "coverage" results of the audit).

Parting thoughts

I would like to thank the Cryptocat project, led by Nadim Kobeissi, for
their commitment to doing development in the open, inviting external
review, and moving to address the issues we uncovered. This open
development process is a good complement to Cryptocat's Free and Open
Source publication of their code and their commitment to providing
end-to-end security for their users.

On top of that, I'd like to thank Cryptocat for their unflagging focus on
usability. Usability is a critical factor if we are going to succeed at
bringing verifiable end-to-end security to everyone, and it is an area
where we as a community and as a society need to improve.

Any questions?

If you have any questions about these results or the process, please
contact us or the Cryptocat developers.